April 29, 2025
by Kamaljeet Kalsi / April 29, 2025
The recent Paris AI Summit made headlines as the US and UK declined to support a diplomatic declaration for inclusive and sustainable AI. This decision underscores the growing challenges of achieving global consensus on AI governance.
As AI innovation accelerates, fragmented regulations could create roadblocks for enterprises, making governance, risk management, and compliance (GRC) a defining factor in the future of AI adoption.
To understand how this is affecting businesses today, we collaborated with GRC industry leaders like Drata, FloQast, AuditBoard, and more to uncover how technology products can succeed in the absence of universal AI governance.
GRC leaders and leading software developers are careful about the risk vs. reward balance, constantly trying to tip the scales in their favor while being fair.
From strategic hesitation to reputational risks, the following sections explore the key challenges businesses are navigating in this fragmented governance landscape.
Without universal policies, organizations face FOMO (fear of missing out) and are forced to navigate the wild west of AI innovation with calculated plays. They also face operational inefficiencies, compliance burdens, and strategic uncertainty. "The lack of a universal AI policy definitely holds organizations back from innovation as they struggle with fragmented AI regulations," says Matt Blumberg, Chief Executive Officer at Acrolinx.
While small and medium businesses express their concerns around not having blanket policies, enterprise businesses are more pragmatic about the current state of affairs.
"Clear regulations provide a crucial point of trust that aligns companies with compliance best practices. The lack of it does the opposite," comments Patricia Thaine, Chief Executive Officer and Co-founder at Private AI.
Trust builds reputation — and when trust is in question, so is everything else. In the absence of universal AI governance, high-stakes assets like customer data and intellectual property become even more vulnerable. That’s why organizations are leaning more heavily on cybersecurity frameworks and capable GRC platforms to fill the gap.
And as regulations evolve, the stakes only get higher. Real-time compliance monitoring across multiple frameworks is no longer a nice-to-have — it's essential to preserving stakeholder trust and brand credibility.
"Emerging regulations add another layer of complexity to maintaining trust," asserts Matt Hillary, Vice President of Security & CISO at Drata.
Despite the scope of opportunity for harnessing AI, highly regulated industries like finance remain laggards due to regulatory guidelines or, shall we say, the lack of them.
"The lack of clear policies also increases trust barriers for AI adoption in finance," comments Mike Whitmire, Chief Executive Officer and Co-founder at FloQast.
Yes and no. Our GRC and AI experts offered mixed responses, reflecting the yin-yang relationship between governance and innovation.
An enabler and a challenge
While governance serves as a protective measure, it must evolve alongside AI advancements. We explore this sentiment, which highlights the tightrope organizations must walk, through aspects of the balancing act they face daily.
"Governance, and the application of controls for any technology, enables organizations to safely and carefully implement technologies that can otherwise be deemed dangerous or not secure," highlights Tara Darbyshire, Co-founder and EVP at SmartSuite.
Some experts argue that governance, due to its slower pace, is not the roadblock but the enabler of AI innovation.
The real challenge lies in how the market navigates AI adoption amid reputational risks, balancing too many shackles on innovation against too little control and the vulnerability it brings.
AuditBoard’s CISO, Richard Marcus, warns of the dangers of an unregulated approach and unclear governance frameworks by highlighting the unintended rise of "shadow AI" — a phenomenon where employees use unsanctioned AI tools outside approved IT frameworks.
He also discusses the opportunity cost of a blanket prohibition on AI.
These tensions make one thing clear: organizations aren’t just navigating governance, they’re DIY-ing it. And behind these decisions lie the tools they trust. That’s where the need to look at data-backed perspectives from real software users comes in. Let’s understand how governance plays out on the ground.
Since AI governance as a concept and as a technology is just getting started, we homed in on G2 data from the GRC and security compliance categories to supplement this analysis and ensure a balanced view of the governance landscape.
"The AI governance tools market is still in its infancy. With little formal AI regulation, any governance standards a company sets today could be overruled tomorrow if they become too costly, complex, or unpopular. Organizations must balance risk with pragmatism," observes Lauren Worth, Senior Market Research Analyst at G2.
An overarching trend across three categories, namely, GRC tools, AI governance tools, and security compliance tools, is that businesses aren’t software hopping. The majority of the reviews revealed that the software purchased was new. Which means:
Now that we’ve explored the reputational risks and challenges around adopting AI without clear governance, let’s shift gears to how tools meant to solve these challenges are actually performing. Are they delivering on their promise? What do real users have to say?
Across GRC tools, AI governance solutions, and security compliance software categories, user sentiment is broadly positive, though usability and setup complexity remain friction points, particularly for smaller teams.
It’s one thing for governance tools to earn high satisfaction scores, but how quickly do they deliver value after implementation? That’s where return on investment (ROI) becomes a key marker of effectiveness, especially for teams under pressure to prove impact fast.
Despite users showing high satisfaction, the time to ROI varies sharply. A clear pattern emerges across GRC tools, AI governance tools, and security compliance software categories: business size significantly impacts time to ROI.
Small businesses consistently report faster returns, likely due to simpler needs and streamlined deployments. In contrast, enterprises tend to experience longer timelines, reflecting more complex implementation, integration, and scaling challenges.
Mid-market businesses have a complex approach to deploying these tools, which is reflected in the data mix.
Beyond just business size, another stark observation is the time to ROI within the categories themselves.
GRC tools show remarkably fast ROI across all business sizes, with no users reporting timelines beyond six months. This suggests mature products with efficient deployments for both enterprises and leaner small business use cases.
GRC software time to ROI:
“The market does seem to favor GRC platforms because of the efficiencies of using one tool to accomplish a lot of things and the cost-savings that can be achieved,” says Lauren Worth, Senior Market Research Analyst at G2.
Smaller businesses report the fastest returns, likely driven by less complexity in implementation. Mid-market companies show a mixed picture, while enterprise users consistently reported ROI in 7–12 months, highlighting the demands of scaling AI responsibly.
AI governance tools time to ROI:
Small businesses benefit from fast deployments, while enterprises face longer cycles due to more complex compliance frameworks, integration needs, and evolving AI policies.
Notably, this is the only category with a highly fragmented ROI timeline, which likely reflects the wide range of use cases, maturity levels, and implementation models across teams and geographies.
Security compliance software time to ROI:
Before we jump to conclusions, it is important to know that there’s a lot more than what currently meets the eye. The governance and innovation gap creates a unique tension for leaders, leaving them with burning questions:
And the answers? We got you. This is a two-part series, and in part two, we’ll answer these questions with data-backed insights, leadership role-specific satisfaction breakdowns, and behind-the-scenes playbooks from GRC and security leaders driving AI innovation responsibly.
You won’t want to miss how Drata, AuditBoard, FloQast, and other leaders are transforming compliance from a constraint into a strategic superpower.
Edited by Supanna Das
Kamaljeet Kalsi is Sr. Editorial Content Specialist at G2. She brings 9 years of content creation, publishing, and marketing expertise to G2’s TechSignals and Industry Insights columns. She loves a good conversation around digital marketing, leadership, strategy, analytics, humanity, and animals. As an avid tea drinker, she believes ‘Chai-tea-latte’ is not an actual beverage and advocates for the same. When she is not busy creating content, you will find her contemplating life and listening to John Mayer.